On Mon, Sep 06, 2004 at 02:43:57PM +0200, Herbert Poetzl wrote:
> hmm, sounds reasonable, but what if root accesses it?
> (or somebody with the 'right' capability)
>
> - it might be strange if even root is not able to
>   open device nodes or execute files from an archive

Yes, but if the file is owned by or writable for non-root then you've got a
security problem. So, unless owned by root and not writable (readable,
executable?) for anyone else, "nodev" and "nosuid" are mandatory.

> - it might lead to interesting situations if the
>   archive is opened by root, but accessed by a user
>   (thinking of caches and such)

See the above. Alternatively, each process could have its own vfsmount
(please don't shoot me for suggesting this ;-)

--
Frank
